Governance | Security | Low | Occasional | AZF-0049

An orphaned API Connection is a stored credential no workflow uses

An API Connection referenced by no Logic App still holds the OAuth token or API key it was authorized with, quietly outliving the workflow it was created for.

Footgun ID
AZF-0049 (Azure Footgun No. 49)
Azure service
Azure Logic Apps
Resource type
Microsoft.Web/connections
Updated
July 1, 2026

What it is

A Microsoft.Web/connections resource (the authenticated link a Logic App uses to reach a service such as Office 365, SQL, Salesforce, or a storage account) that no Logic App workflow references any longer. It runs nothing, but it retains the authentication it was set up with.

Impact (governance)
No direct charge; the harm is clutter plus stored credentials that outlive their use
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

API Connections are created during the connector setup flow and authorized once, storing an OAuth token, API key, or service-principal secret so a workflow can act on your behalf. Azure does not expose a back-reference from a connection to the Logic Apps that use it, so when the last workflow referencing it is deleted or rewired, the connection is simply left behind. Nothing on the bill and nothing in the portal nudges you to remove it.

The result is a credential-hygiene problem, not just clutter. A connection named o365-mailer may still hold a live token with mailbox permissions long after the automation that needed it was retired. It counts as standing access to a third-party service, sitting outside the usual identity reviews because it does not look like a role assignment or a service-principal secret, even though it functions like one.

What it costs / blast radius

Azure does not charge for an API Connection, so there is no cost angle. The blast radius is the retained credential: an orphaned connection can hold a still-valid token or key granting access to email, databases, or SaaS APIs, with no workflow accountable for it. That is standing access nobody is watching, and it is easy to miss precisely because it is not shaped like the identities security teams usually audit. (Authored assessment of Azure behavior.)

See it

Find them: API Connections and their referencing Logic Apps (orphans reference none)
// List every API Connection, then scan the $connections parameter of every Consumption
// Logic App in the same subscription; a connection that no workflow references is orphaned.
Resources
| where type =~ 'microsoft.web/connections'
| project connId = tolower(id), name, resourceGroup, subscriptionId,
          api = tostring(properties.api.displayName),
          status = tostring(properties.statuses[0].status)
| join kind=leftouter (
    Resources
    | where type =~ 'microsoft.logic/workflows'
    | project subscriptionId, wfConns = tolower(tostring(properties.parameters['$connections']))
  ) on subscriptionId
| summarize refs = countif(wfConns contains connId) by connId, name, resourceGroup, subscriptionId, api, status
| where refs == 0
Fix: revoke and delete the connection so its stored credential stops existing
// Confirm no Logic App still uses it, then delete to purge the stored auth.
// This removes the credential Azure stores; a consent grant the provider keeps is revoked there, not here.
az resource delete \
  --resource-type Microsoft.Web/connections \
  --name o365-mailer \
  --resource-group rg-integration
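The cross-check the section above describes can also be scripted outside Resource Graph. The following is an added example, not code from the Azure Footguns page or from StratoLens: it rebuilds the connection-to-workflow back-reference that Azure does not expose by walking each Consumption workflow's `$connections` parameter, then reports connections nothing references (orphans) and references to connections that no longer exist (dangling). The input shapes assumed are those of `az resource list --resource-type Microsoft.Web/connections` and `az resource show` on a `Microsoft.Logic/workflows` resource; the subscription id, resource groups, and connection names are constructed placeholders. Standard (single-tenant) Logic Apps keep their connections in `connections.json` rather than in the ARM workflow resource, so they need a separate path that this example does not cover.

```python
"""Find API Connections no Consumption Logic App references.

Added example for AZF-0049; all resource ids below are constructed placeholders.
"""

# Placeholder subscription (constructed, not a real tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"


def conn_id(rg, name):
    """ARM id of a Microsoft.Web/connections resource (helper for the sample data)."""
    return f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Web/connections/{name}"


# Shape of `az resource list --resource-type Microsoft.Web/connections`, trimmed to
# the fields used here. Constructed sample: three connections in one subscription.
CONNECTIONS = [
    {"id": conn_id("rg-integration", "o365-mailer"), "name": "o365-mailer"},
    {"id": conn_id("rg-integration", "sql-orders"), "name": "sql-orders"},
    {"id": conn_id("rg-archive", "blob-archive"), "name": "blob-archive"},
]

# Shape of `az resource show --ids <workflow id>` for a Consumption Logic App,
# trimmed to properties.parameters.$connections. Constructed sample: two workflows.
WORKFLOWS = [
    {
        "id": f"{SUB}/resourceGroups/rg-integration/providers/Microsoft.Logic/workflows/order-sync",
        "properties": {"parameters": {"$connections": {"value": {
            "sql": {"connectionId": conn_id("rg-integration", "sql-orders"),
                    "connectionName": "sql-orders"},
            # ARM ids are case-insensitive; the portal and templates emit mixed case.
            "azureblob": {"connectionId": conn_id("rg-archive", "blob-archive").upper(),
                          "connectionName": "blob-archive"},
        }}}},
    },
    {
        "id": f"{SUB}/resourceGroups/rg-integration/providers/Microsoft.Logic/workflows/nightly-archive",
        "properties": {"parameters": {"$connections": {"value": {
            "azureblob": {"connectionId": conn_id("rg-archive", "blob-archive"),
                          "connectionName": "blob-archive"},
            # References a connection that was deleted: a broken workflow, not an orphan.
            "teams": {"connectionId": conn_id("rg-integration", "teams-notify"),
                      "connectionName": "teams-notify"},
        }}}},
    },
]


def referenced_connection_ids(workflow):
    """Lower-cased connection ids named in a workflow's $connections parameter."""
    params = (workflow.get("properties") or {}).get("parameters") or {}
    values = ((params.get("$connections") or {}).get("value")) or {}
    return {
        v["connectionId"].lower()
        for v in values.values()
        if isinstance(v, dict) and v.get("connectionId")
    }


def cross_reference(connections, workflows):
    """Build the back-reference Azure lacks: connection id -> referencing workflow ids.

    Returns (backrefs, dangling). `dangling` lists ids a workflow references that
    match no existing connection resource.
    """
    backrefs = {c["id"].lower(): [] for c in connections}
    dangling = set()
    for wf in workflows:
        for cid in referenced_connection_ids(wf):
            if cid in backrefs:
                backrefs[cid].append(wf["id"])
            else:
                dangling.add(cid)
    return backrefs, sorted(dangling)


def find_orphans(connections, workflows):
    """Connections no workflow references: a stored credential with no owner."""
    backrefs, _ = cross_reference(connections, workflows)
    return [c for c in connections if not backrefs[c["id"].lower()]]


def delete_commands(orphans):
    """One `az resource delete` per orphan, for review before anything is run."""
    return [f"az resource delete --ids {c['id']}" for c in orphans]


if __name__ == "__main__":
    backrefs, dangling = cross_reference(CONNECTIONS, WORKFLOWS)
    for cid, users in backrefs.items():
        print(f"{cid.rsplit('/', 1)[-1]}: {len(users)} referencing workflow(s)")
    for cid in dangling:
        print(f"DANGLING reference to {cid}")
    for cmd in delete_commands(find_orphans(CONNECTIONS, WORKFLOWS)):
        print(cmd)
```

On the sample data the script reports `o365-mailer` as the only orphan, `blob-archive` as used by both workflows, and the `teams-notify` reference as dangling. Feeding it real output means one `az resource show` per workflow; the `cross_reference` result is also the evidence an access review needs, since it answers "who uses this credential" for every connection, not just the orphans.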

How StratoLens helps

StratoLens automatically and continuously flags API Connections that no Logic App references, across every subscription in your tenant, so a stored credential does not linger after the workflow that needed it is gone. The connections worth revoking are surfaced for you instead of being discovered during an incident.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.